Phx.gen.auth orphan users_tokens

I was going through the phx.gen.auth code (all defaults, no changes) and I have a question. It looks like the generated session user_token never expires and unless a user logs out with that specific session still in cookies, it is never removed from the database. I know this isn’t supposed to be the end-all auth solution, but it seems like an avoidable security issue (never-expiring access token) and storage issue (if a site has many users all creating many sessions, it seems like it could get unwieldy). Am I missing something?

1 Like

The validity is checked in the verify_session_token/1 function (here).
The default is 60 days.

1 Like

ah! Ok, thank you. Do you recommend setting up some sort of db trigger to delete old tokens?

There are a few things which I wasn’t all too happy with in the default gen_auth output (I have some pull requests to eventually put up), and this was one of them.

I don’t think you can have periodic / time-based “triggers” in your DB. At least not in Postgres. Although I admit I haven’t dug into the more recent docs, so it might be that something has changed.

OTOH I don’t really feel like this being a DB responsibility, even if it should theoretically be more efficient.

Therefore in my cases I have a “janitor” GenServer that periodically walks over all the stuff that might need some action upon it. One of its duties is cleaning up expired user tokens, preventing accumulation of such cruft.

2 Likes
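An added example, not code from phx.gen.auth or from either poster, of the “janitor” GenServer described above, using the same 60-day session validity window that the earlier reply points to in verify_session_token/1. The module name MyApp.Accounts.TokenJanitor, the MyApp.Repo / MyApp.Accounts.UserToken aliases, the sweep interval and the per-context validity values are assumptions; the generated UserToken module is the source of truth for the windows, so keep them in sync with it.

```elixir
defmodule MyApp.Accounts.TokenJanitor do
  @moduledoc """
  Periodically deletes expired rows from users_tokens.

  Hypothetical example, not generated by phx.gen.auth. Assumes the default
  generated schema MyApp.Accounts.UserToken (fields :context and :inserted_at,
  with inserted_at stored as :naive_datetime, the generator's default) and
  MyApp.Repo as the Ecto repo.
  """
  use GenServer
  import Ecto.Query, only: [from: 2]

  alias MyApp.Accounts.UserToken
  alias MyApp.Repo

  # Validity windows assumed to match the generated UserToken module's
  # verify_*_token_query functions (60 days for "session" per the reply above;
  # the others are the generator defaults as I recall them). A row this sweep
  # deletes is one those queries would already have rejected as expired.
  @session_validity_in_days 60
  @confirm_validity_in_days 7
  @reset_password_validity_in_days 1
  @change_email_validity_in_days 7

  # Sweep hourly; with a 60-day window there is no need to be more aggressive.
  @interval :timer.hours(1)

  def start_link(opts \\ []) do
    GenServer.start_link(__MODULE__, opts, name: __MODULE__)
  end

  @impl true
  def init(_opts) do
    # First sweep shortly after boot, then every @interval.
    schedule_sweep(:timer.seconds(30))
    {:ok, %{}}
  end

  @impl true
  def handle_info(:sweep, state) do
    sweep()
    schedule_sweep(@interval)
    {:noreply, state}
  end

  defp schedule_sweep(delay), do: Process.send_after(self(), :sweep, delay)

  @doc """
  Deletes every token older than the validity window for its context.
  Returns a map of context pattern => rows deleted, handy for logging or metrics.
  """
  def sweep do
    [
      {"session", @session_validity_in_days},
      {"confirm", @confirm_validity_in_days},
      {"reset_password", @reset_password_validity_in_days},
      # change-email tokens carry the new address in the context: "change:<email>"
      {"change:%", @change_email_validity_in_days}
    ]
    |> Map.new(fn {context, days} -> {context, delete_expired(context, days)} end)
  end

  # Same cutoff the generated query expresses as
  # `token.inserted_at > ago(@session_validity_in_days, "day")`, computed here
  # in Elixir as a NaiveDateTime so it compares cleanly with a :naive_datetime column.
  defp delete_expired(context_pattern, days) do
    cutoff = NaiveDateTime.add(NaiveDateTime.utc_now(), -days * 24 * 60 * 60, :second)

    query =
      from t in UserToken,
        where: like(t.context, ^context_pattern),
        where: t.inserted_at < ^cutoff

    {count, _} = Repo.delete_all(query)
    count
  end
end
```

Add it to the supervision tree with `{MyApp.Accounts.TokenJanitor, []}` in the `children` list of your application module. Because the sweep only removes rows the verify queries already treat as invalid, running it on a live system does not log anyone out early; it just stops the table growing without bound, which is the storage concern raised in the first post.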

Seeing that the remember me cookie uses the same token, if you wanted to increase its max_age you’d need to change this as well, right?